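#!/bin/bash
# ng-pcap: log DNS queries seen on the wire.
#
# Captures packets to udp/tcp port 53 with dumpcap, extracts the interesting
# fields with tshark, decodes the numeric class/type columns and appends one
# space-separated line per query to "${NG_PCAP_LOG_DIR}/<script-name>.log".
#
# Configuration: /etc/sysconfig/ng-pcap is *sourced* (executed as shell), so it
# must only be writable by the account this script runs as. It may set:
#   NG_PCAP_LOG_DIR  directory for the log file (default: /var/log)
#
# Requires GNU awk (strtonum, strftime) in addition to dumpcap and tshark.

# Without pipefail the script's status is that of the last awk, so a dead
# dumpcap/tshark would look like a clean exit to whatever supervises us.
set -o pipefail

[[ -r /etc/sysconfig/ng-pcap ]] && source /etc/sysconfig/ng-pcap
NG_PCAP_LOG_DIR=${NG_PCAP_LOG_DIR:-/var/log}

#######################################
# Decode the DNS class/type columns of tshark's field output.
#
# Reads tshark "-Tfields" records (tab-separated) on stdin. awk's default
# field splitting drops empty columns, and since each packet is either UDP
# or TCP exactly two of the four port columns are always empty, so every
# record is seen here as 9 fields:
#   1 epoch  2 src  3 sport  4 dst  5 dport  6 dns.id  7 class  8 type  9 name
# NOTE(review): that layout assumes IPv4 — for an IPv6 query ip.src/ip.dst
# would be empty too and the columns would shift. Confirm the capture
# interface carries no IPv6 DNS, or extend the tshark field list.
#
# Arguments: none
# Outputs:   one line per record on stdout, fields joined by single spaces;
#            class 1 is rewritten as IN and known type numbers as their
#            mnemonic, anything else is passed through unchanged
# Returns:   awk's exit status
#######################################
decode_dns_fields() {
  awk '
    BEGIN {
      # RR type number -> mnemonic
      TYPE[1]   = "A"
      TYPE[2]   = "NS"
      TYPE[5]   = "CNAME"
      TYPE[6]   = "SOA"
      TYPE[7]   = "MB"
      TYPE[8]   = "MG"
      TYPE[9]   = "MR"
      TYPE[10]  = "NULL"
      TYPE[11]  = "WKS"
      TYPE[12]  = "PTR"
      TYPE[13]  = "HINFO"
      TYPE[14]  = "MINFO"
      TYPE[15]  = "MX"
      TYPE[16]  = "TXT"
      TYPE[17]  = "RP"
      TYPE[18]  = "AFSDB"
      TYPE[19]  = "X25"
      TYPE[20]  = "ISDN"
      TYPE[21]  = "RT"
      TYPE[22]  = "NSAP"
      TYPE[23]  = "NSAP-PTR"
      TYPE[24]  = "SIG"
      TYPE[25]  = "KEY"
      TYPE[26]  = "PX"
      TYPE[27]  = "GPOS"
      TYPE[28]  = "AAAA"
      TYPE[29]  = "LOC"
      TYPE[31]  = "EID"
      TYPE[32]  = "NIMLOC"
      TYPE[33]  = "SRV"
      TYPE[34]  = "ATMA"
      TYPE[35]  = "NAPTR"
      TYPE[36]  = "KX"
      TYPE[37]  = "CERT"
      TYPE[39]  = "DNAME"
      TYPE[40]  = "SINK"
      TYPE[41]  = "OPT"
      TYPE[42]  = "APL"
      TYPE[43]  = "DS"
      TYPE[44]  = "SSHFP"
      TYPE[45]  = "IPSECKEY"
      TYPE[46]  = "RRSIG"
      TYPE[47]  = "NSEC"
      TYPE[48]  = "DNSKEY"
      TYPE[49]  = "DHCID"
      TYPE[50]  = "NSEC3"
      TYPE[51]  = "NSEC3PARAM"
      TYPE[52]  = "TLSA"
      TYPE[53]  = "SMIMEA"
      TYPE[55]  = "HIP"
      TYPE[56]  = "NINFO"
      TYPE[57]  = "RKEY"
      TYPE[58]  = "TALINK"
      TYPE[59]  = "CDS"
      TYPE[60]  = "CDNSKEY"
      TYPE[61]  = "OPENPGPKEY"
      TYPE[62]  = "CSYNC"
      TYPE[63]  = "ZONEMD"
      TYPE[99]  = "SPF"
      TYPE[249] = "TKEY"
      TYPE[250] = "TSIG"
      TYPE[251] = "IXFR"
      TYPE[252] = "AXFR"
      TYPE[253] = "MAILB"
      TYPE[256] = "URI"
      TYPE[257] = "CAA"
      TYPE[258] = "AVC"
      TYPE[259] = "DOA"
      TYPE[260] = "AMTRELAY"
    }
    # class 1 is IN; strtonum() (not $7+0) so a hex-formatted class such as
    # 0x0001, which tshark may print for dns.qry.class, still decodes
    strtonum($7) == 1 { $7 = "IN" }
    # "in" tests membership without creating an empty TYPE entry, which the
    # bare TYPE[x] lookup would do for every unknown type number
    (strtonum($8) in TYPE) { $8 = TYPE[strtonum($8)] }
    # $1 = $1 makes awk rebuild the record with OFS (a space), normalising the
    # tab layout; flush so the log is live rather than block-buffered
    { $1 = $1; print; fflush() }
  '
}

#######################################
# Rewrite the leading epoch column as an ISO-8601 local-time timestamp.
#
# Column 1 is frame.time_epoch as "seconds.fraction"; the six fractional
# digits taken by substr() are spliced in as microseconds.
# NOTE(review): substr(..., length-8, 6) assumes exactly nine fractional
# digits — verify against the tshark build in use.
#
# Arguments: none
# Outputs:   the record on stdout with column 1 replaced, e.g.
#            2023-11-14T22:13:20.123456+0000 (offset follows the local TZ)
# Returns:   awk's exit status
#######################################
format_timestamps() {
  awk '{
    $1 = strftime("%FT%T." substr($1, length($1) - 8, 6) "%z", $1)
    print $0
    # the previous stage flushes per record; without this one the log file
    # lags by a buffer-full and loses lines when the pipeline is killed
    fflush()
  }'
}

#######################################
# Run the capture pipeline until dumpcap stops.
# Globals:   NG_PCAP_LOG_DIR (read)
# Arguments: none
# Outputs:   appends decoded query lines to the log file
# Returns:   non-zero if any pipeline stage fails (pipefail)
#######################################
main() {
  local log_file
  # the log is named after the script's resolved name, e.g. ng-pcap.log
  log_file="${NG_PCAP_LOG_DIR}/$(basename "$(readlink -f "$0")").log"

  # READ: We are using dumpcap because tshark always writes pcap files
  # to /tmp unless you read from stdin as we are doing here.
  # You also cannot set the /tmp files to a fixed count or size unless
  # tshark is writing to a file which we do not want to do.
  # dns.qry.name is copied verbatim from the wire into the log, so anything
  # that reads the log must treat that column as untrusted input.
  dumpcap -f "udp dst port 53 or tcp dst port 53" -w - -P \
    | tshark -q -l -r - -Tfields \
        -e frame.time_epoch \
        -e ip.src \
        -e udp.srcport \
        -e tcp.srcport \
        -e ip.dst \
        -e udp.dstport \
        -e tcp.dstport \
        -e dns.id \
        -e dns.qry.class \
        -e dns.qry.type \
        -e dns.qry.name \
        -Y 'dns.qry.name != ""' \
    | decode_dns_fields \
    | format_timestamps \
    >> "$log_file"
}

main "$@"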
